API Reference

Zero Trust

Access

Logs

Access Requests

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Get Access authentication logs

GET/accounts/{account_id}/access/logs/access_requests

Gets a list of Access authentication audit logs for an account.

Security

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Access: Audit Logs Read

Path ParametersExpand Collapse

account_id: string

Identifier.

maxLength32

Query ParametersExpand Collapse

allowedOp: optional "eq" or "neq"

Operator for the allowed filter.

One of the following:

"eq"

"neq"

app_typeOp: optional "eq" or "neq"

Operator for the app_type filter.

One of the following:

"eq"

"neq"

app_uidOp: optional "eq" or "neq"

Operator for the app_uid filter.

One of the following:

"eq"

"neq"

country_codeOp: optional "eq" or "neq"

Operator for the country_code filter.

One of the following:

"eq"

"neq"

direction: optional "desc" or "asc"

The chronological sorting order for the logs.

One of the following:

"desc"

"asc"

email: optional string

Filter by user email. Match mode is controlled by emailOp (preferred) or the legacy email_exact flag.

• Default (no emailOp, email_exact=false or unset): substring match — email=@example.com returns all events with that domain.
• Exact match: set emailOp=eq (preferred) or email_exact=true — e.g. email=user@example.com&email_exact=true returns only that user.
• Explicit substring match: set emailOp=contains (without email_exact=true). When both are set, email_exact=true takes precedence and the match is exact.
• Exclusion: set emailOp=neq. With email_exact=true this is an exact-value exclusion; without it, a fuzzy substring exclusion.

formatemail

email_exact: optional boolean

When true, email is matched exactly instead of substring matching.

emailOp: optional "eq" or "neq" or "contains"

Operator for the email filter. contains performs a substring (case-sensitive) match. When email_exact=true is also set, email_exact takes precedence and contains is ignored.

One of the following:

"eq"

"neq"

"contains"

fields: optional string

Comma-separated list of fields to include in the response. When omitted, all fields are returned.

idpOp: optional "eq" or "neq"

Operator for the idp filter.

One of the following:

"eq"

"neq"

limit: optional number

The maximum number of log entries to retrieve.

non_identityOp: optional "eq" or "neq"

Operator for the non_identity filter.

One of the following:

"eq"

"neq"

page: optional number

Page number of results.

per_page: optional number

Number of results per page.

ray_idOp: optional "eq" or "neq"

Operator for the ray_id filter.

One of the following:

"eq"

"neq"

since: optional string

The earliest event timestamp to query.

formatdate-time

until: optional string

The latest event timestamp to query.

formatdate-time

user_id: optional string

Deprecated. Accepted for backward compatibility but no longer applied as a filter. Use email instead.

formatuuid

user_idOp: optional "eq" or "neq"

Deprecated. Accepted for backward compatibility but no longer applied as a filter (the user_id parameter is itself deprecated).

One of the following:

"eq"

"neq"

ReturnsExpand Collapse

errors: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

messages: array of object { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional object { pointer }

pointer: optional string

success: true

Whether the API call was successful.

result: optional array of AccessRequest { action, allowed, app_domain, 6 more }

action: optional string

The event that occurred, such as a login attempt.

allowed: optional boolean

The result of the authentication event.

app_domain: optional string

The URL of the Access application.

app_uid: optional string

The unique identifier for the Access application.

connection: optional string

The IdP used to authenticate.

created_at: optional string

formatdate-time

ip_address: optional string

The IP address of the authenticating user.

ray_id: optional string

The unique identifier for the request to Cloudflare.

maxLength16

user_email: optional string

The email address of the authenticating user.

formatemail

Get Access authentication logs

HTTP

HTTP

TypeScript

Python

Go

Terraform

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/access_requests \
    -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
    -H "X-Auth-Key: $CLOUDFLARE_API_KEY"

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}

Returns Examples

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}